Mitigating denial of service attacks

ABSTRACT

Several methods are disclosed for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks that are intended to exhaust network resources. The methods use DDoS mitigation devices to detect DDoS attacks using operationally based thresholds. The methods also keep track of ongoing attacks, have an understanding of “protected IP space,” and activate appropriate mitigation tactics based on the severity of the attack and the capabilities of the DDoS mitigation devices.

FIELD OF THE INVENTION

The present invention generally relates to network security and, more particularly, to methods for mitigating Distributed Denial-of-Service (DDoS) attacks on a network.

SUMMARY OF THE INVENTION

In one embodiment of the present invention, a method for mitigating a DDoS attack is disclosed. In this embodiment, a first plurality of DDoS Devices receive network traffic from a network. A traffic rate may be periodically polled for each of the DDoS Devices.

A throughput capability for each of the DDoS Devices may also be determined. The throughput capability may generally be found from the specification created by the manufacturer for each DDoS Device.

The polled traffic rate may be compared with the throughput capability for each DDoS Device to determine if each DDoS Device can handle its polled traffic rate without intervention. Past DDoS mitigations may be removed from each DDoS Device that has a greater throughput capability than its current polled traffic rate.

A malicious traffic rate may be determined for each of the DDoS Devices by polling each device.

An operational limit capability for each DDoS Device may be determined. The operational limit capabilities may be determined, for example, by pulling individual device limits from a DDoS Mitigation Traffic Limits database.

A notification may be sent to a monitor web page for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate approach its operational limit capability within a predetermined amount.

For each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate greater than its operational limit capability, a notification may be sent to the monitor web page and traffic from the DDoS Device may be routed to a second DDoS Device that has an operational limit capability greater than the malicious traffic rate.

As an enhancement, a malicious traffic rate and an operational limit capability may be determined for the first plurality of DDoS Devices. If the malicious traffic rate for the first plurality of DDoS Devices approaches the operational limit capability for the first plurality of DDoS Devices within a predetermined amount, a notification may be sent to the monitor web page.

If the malicious traffic rate for the first plurality of DDoS Devices is greater than the operational limit capability for the first plurality of DDoS Devices, a notification may be sent to the monitor web page and the network traffic may be swung from the first plurality of DDoS Devices to a second plurality of DDoS Devices.

In another embodiment, DDoS traffic may be identified based upon traffic flow and individual packet payloads utilizing an intrusion detection and prevention engine. A validity of a combination of flag values in a Transmission Control Protocol (TCP) header may be determined. A TCP header is contained within a TCP packet and defines control data and metadata about the data section that follows the header. The TCP header uses flags as control bits that indicate how the packet is to be utilized. The flags are mutually exclusive as defined by the Internet Engineering Task Force and the Internet Society standards body. If the combination of flag values in the TCP header is not valid, a first Distributed Denial of Service (DDoS) mitigation may be activated. A number of TCP flags received over a first period of time may be determined. If the number of TCP flags received over the first period of time exceeds a first predetermined threshold, a second DDoS mitigation may be activated. A number of packets received over a second period of time may be determined. If the number of packets received over the second period of time exceeds a second predetermined threshold, a third DDoS mitigation may be activated. A number of HTTP or DNS activities over a third period of time may be determined. An HTTP or DNS activity may be defined as the process of using HTTP verbs, DNS queries, or connections to services. If the number of HTTP or DNS activities over the third period of time exceeds a third predetermined threshold, a fourth DDoS mitigation may be activated.

In another embodiment, a plurality of Intrusion Detection Systems (IDS) may be used to capture a plurality of packet data from network traffic on a network. The plurality of IDS may process the plurality of packet data. A first one or more statistics may be calculated from the plurality of packet data. A second one or more statistics may be read from a traffic stats database. The first one or more statistics may be stored in the traffic stats database. A change in the network traffic may be determined by comparing the first one or more statistics with the second one or more statistics. DDoS mitigation may be activated or modified based on changes in the network traffic.

Further, a high delta based on the first one or more statistics and the second one or more statistics may be determined. Processing the plurality of packet data is preferably done in real time. The first one or more statistics may be calculated by one or more of the IDS, by a server or by a combination of IDSs and servers. The change in traffic may use statistics gathered over a period, and preferably a period longer than 7 days.

Calculating the first one or more statistics from the plurality of packet data may use Open Systems Interconnection (OSI) Model layer 3, OSI Model layer 4, or OSI Model layer 7.

In another embodiment, a plurality of Intrusion Detection Systems (IDS) may be used to capture and process data from network traffic on a network. An application (the piece of software sending the network traffic) and an application rate (the rate at which the application communicates over the network) corresponding to the data may be determined. A filter may be generated that is specific to the application. A filter that is specific for an application may create a pattern that enforces correct application behavior and/or communication rate based upon standards and known normal traffic rates. The filter may consist of, but is not limited to, patterns to match content within the received packet that may be legitimate or illegitimate traffic, valid application traversal paths, or other identified anomalies within the transmitted traffic. A DDoS mitigation may then be activated or modified using the generated filter.

In addition, a first one or more statistics may be calculated from the data. A second one or more statistics may be read from a traffic stats database. The first one or more statistics may be stored in the traffic stats database for later use. In preferred embodiments, a plurality of long term statistics may be calculated using at least the second one or more statistics, and a plurality of high application rates with low variation based on the plurality of long term statistics may be determined. The data from the network traffic is preferably taken from an Open Systems Interconnection (OSI) Model layer 3, OSI Model layer 4, and/or OSI Model layer 7.

The above features and advantages of the present inventions will be better understood from the following detailed description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a possible embodiment of a system for the rapid detection and mitigation of threats to a network.

FIG. 2 is a flow diagram illustrating a possible embodiment of a method for rapid detection and mitigation of threats to a network.

FIG. 3 is a flow diagram illustrating a possible embodiment of a method for rapid detection and mitigation of threats to a network.

DETAILED DESCRIPTION

The present inventions will now be discussed in detail with regard to the attached drawing figures, which were briefly described above. In the following description, numerous specific details are set forth illustrating the Applicant's best mode for practicing the inventions and enabling one of ordinary skill in the art to make and use the inventions. It will be obvious, however, to one skilled in the art that the present inventions may be practiced without many of these specific details. In other instances, well-known machines, structures, and method steps have not been described in particular detail in order to avoid unnecessarily obscuring the present inventions. Unless otherwise indicated, like parts and method steps are referred to with like reference numerals.

The invention will now be described with reference to FIG. 1. A network 106 is a collection of links and nodes (e.g., multiple computers and/or other devices connected together) arranged so that information may be passed from one part of the network 106 to another over multiple links and through various nodes. Examples of networks include the Internet, the public switched telephone network, the global Telex network, computer networks (e.g., an intranet, an extranet, a local-area network, or a wide-area network), wired networks, wireless networks, and hybrid networks. While a network 106 may be owned and operated by a plurality of companies, partnerships, individuals, etc., the network 106 in the present invention is preferably owned and operated by a single entity, such as a company, partnership or individual that is trying to increase the security of its network 106.

The Internet is a worldwide network of computers and computer networks arranged to allow the easy and robust exchange of information between computer users. Hundreds of millions of people around the world have access to computers connected to the Internet via Internet Service Providers (ISPs). Content providers (e.g., website owners or operators) place multimedia information (e.g., text, graphics, audio, video, animation, and other forms of data) at specific locations on the Internet referred to as webpages. Websites comprise a collection of connected or otherwise related webpages. The combination of all the websites and their corresponding webpages on the Internet is generally known as the World Wide Web (WWW) or simply the Web. Network servers may support websites that reside on the Web.

When an external user accesses the network 106 via the Internet, the external user will have an associated IP address and possibly a username that the network 106 uses to identify the user. The IP address of the external user is needed so the network 106 can send information to the external user. The external user may be a legitimate customer/user of the network 106, a hacker or malicious attacker of the network 106, or may be a legitimate customer's computer that has been taken over by a hacker or malicious attacker of the network 106. If the external user is a threat to the network 106, the invention takes action to mitigate the threat. The external user may only access the network 106 through the one or more security devices.

The network 106 may also include one or more internal users of the network 106 who may also be identified with an IP address or a username. Internal users may also be monitored with the present invention. All traffic from internal users is preferably directed through the one or more security devices. While internal users are generally less likely to be a hacker or malicious user, the traffic from internal users may also be screened by the one or more security devices.

A network 106 may include one or more security devices. Preferably, all traffic entering the network 106 enters the network 106 through a security device. Traffic may be broken down into packets, with each packet containing control and user data.

As non-limiting examples, the one or more security devices may include a Managed DDoS Mitigation Device 100, DDoS Management Device 101, Unmanaged DDoS Mitigation Device (also known as a Standalone DDoS Device) 102, Intrusion Protection System (IPS), Intrusion Detection System (IDS) 104, network device or some combination thereof. The network device may be, as non-limiting examples, a router, switch, firewall, or load balancer. The IDS 104 may be a device or software application running on a server that monitors network or system activities for malicious, policy violating, or business disruption patterns.

Traffic refers to electronic communication transmitted into, out of, and/or within the network 106. A traffic rate may be calculated for a device by dividing the amount of traffic handled by the device by the length of a given period of time. The network 106 is preferably configured so that all traffic incoming, outgoing and within the network 106 must pass through the one or more security devices. This allows the maximum amount of traffic to be monitored with the fewest number of security device(s). While not all traffic in the network 106 has to pass through the one or more security devices, the present invention only detects and mitigates threats from traffic that does pass through the one or more security devices. Thus, to maximize the effectiveness of the present invention, as much of the network 106 traffic as possible, and preferably all of the network traffic, passes through the one or more security devices.

It is becoming increasingly common for networks, typically of corporations or governments, to be attacked. One method of attacking a network 106 is through the use of a Distributed Denial-of-Service (DDoS) attack. A DDoS attack typically floods the targeted network 106 with communication requests which prevent or slow the network 106 in responding to legitimate network 106 traffic. A DDoS attack is an attempt to make a network 106 (or resources that comprise the network 106) unavailable for its intended users. A DDoS attack tries to overload a network 106 and its resources and render the network 106 unusable.

Methods of creating a DDoS attack are, unfortunately, well known and easily discovered on the Internet. The perpetrator of a DDoS attack must first gain control over a number of compromised computers. Typically, the larger the number of compromised computers, the larger and more damaging the DDoS attack. The DDoS attack is initiated by the perpetrator ordering the compromised computers under the perpetrator's control to request services or otherwise engage the network 106 over a period of time. The service requests are typically those that place a substantial burden on the resources of the network 106. The combined traffic generated by the compromised computers aimed at the network 106 is referred to as the DDoS traffic. DDoS traffic may be expressed in terms of the total amount of data received or, preferably, the amount of data received over a period of time.

FIG. 2 illustrates one embodiment of the present invention for mitigating a DDoS attack. In this embodiment, a first plurality of DDoS Devices 100, 101, 102 may receive network traffic for a network 106. Preferably, all network traffic enters the network 106 through the first plurality of DDoS Devices 100, 101, 102 and/or IDS 104. A traffic rate may be periodically polled for each of the DDoS Devices 100, 101, 102 and IDS 104 by one or more Rsyslog server(s) 103. (Step 200)

A throughput capability, or DDoS mitigation rate, for each of the DDoS Devices may also be determined. (Step 201) The throughput capability or DDoS mitigation rate is a rate in pps (packets per second) and/or bps (bits per second) at which malicious traffic is dropped or disrupted. The throughput capability or DDoS mitigation rate may be found from the specification created by the manufacturer for each DDoS Device or from empirical testing.

The polled traffic rate may be compared with the throughput capability for each DDoS Device to determine if each DDoS Device can handle its polled traffic rate without intervention. (Steps 202, 204) Intervention may include the act of manually modifying settings on DDoS Devices and/or distribution of DDoS attacks to DDoS mitigation devices to improve performance. Past DDoS mitigations may be removed from each DDoS Device that has a greater throughput capability than its current polled traffic rate. (Step 203) Specifically, a mitigation from a DDoS mitigation device may be removed that is no longer required to stop the DDoS attack from disrupting service to the network 106.

A malicious traffic rate, or the rate at which traffic is being identified as unwanted and subsequently dropped from the transmission path, may be determined for each of the DDoS Devices by polling each device. (Step 205)

An operational limit capability for each DDoS Device may be determined, for example, by pulling individual device limits from a DDoS Mitigation Traffic Limits database. (Step 206) An operational limit capability is the maximum rate in pps (packets per second) and/or bps (bits per second) that a device can process without dropping packets.

A notification may be sent to a monitor web page for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate approach its operational limit capability within a predetermined amount. (Steps 207, 208, 213) A notification to a monitor web page may be an audible or visual alert communicated to a web page which will display and/or play the alert.

For each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate greater than its operational limit capability, a notification may be sent to the monitor web page and traffic from the DDoS Device may be routed to a second DDoS Device that has an operational limit capability greater than the malicious traffic rate. (Steps 209, 210, 213) This process may include moving traffic from a DDoS Device which cannot handle inspecting the amount of traffic (measured in pps/bps) to a higher performing device that can handle the network traffic.

As an enhancement, a malicious traffic rate and an operational limit capability may be determined for the first plurality of DDoS Devices. If the malicious traffic rate for the first plurality of DDoS Devices approaches the operational limit capability for the first plurality of DDoS Devices within a predetermined amount, a notification may be sent to the monitor web page. (Step 213) If the malicious traffic rate for the first plurality of DDoS Devices is greater than the operational limit capability for the first plurality of DDoS Devices, a notification may be sent to the monitor web page and the network traffic may be swung from the first plurality of DDoS Devices to a second plurality of DDoS Devices. (Steps 211, 212, 213) This process may include shifting the network traffic's path so that it flows to a different location (and a different plurality of DDoS Devices) that may or may not be geographically different.
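The polling loop of FIG. 2 (Steps 200 through 213) as working code. This is an added example, not code from the patent: the device names, the rates, the pool of spare devices and the choice of 10% of the operational limit as the "predetermined amount" are all constructed values, and the rule for picking the second DDoS Device (the smallest device in the pool whose operational limit still exceeds the malicious rate) is an assumption the patent does not state.

```python
"""Added example (not from the patent): one polling cycle of the FIG. 2 method.

Each DDoS Device is polled for a traffic rate (Step 200) and a malicious
traffic rate (Step 205); its throughput capability (Step 201) and
operational limit (Step 206) come from static configuration standing in for
the manufacturer specification and the DDoS Mitigation Traffic Limits
database. All names and numbers below are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class DdosDevice:
    name: str
    throughput_capability_pps: float    # mitigation rate from spec / testing (Step 201)
    operational_limit_pps: float        # max rate without dropping packets (Step 206)
    polled_traffic_pps: float = 0.0     # Step 200
    malicious_traffic_pps: float = 0.0  # Step 205
    active_mitigations: list = field(default_factory=list)


def select_target(malicious_pps, pool):
    """Pick the pool device with the smallest operational limit that still
    exceeds the malicious rate, keeping the largest devices free (assumed rule)."""
    candidates = [d for d in pool if d.operational_limit_pps > malicious_pps]
    return min(candidates, key=lambda d: d.operational_limit_pps) if candidates else None


def evaluate_device(dev, pool, approach_fraction=0.10):
    """Return the (action, detail) tuples raised for one device in one cycle.

    pool: devices traffic may be routed to (Step 210).
    approach_fraction: the 'predetermined amount' as a fraction of the limit.
    """
    actions = []
    # Steps 202-204: the device copes on its own, so retire past mitigations
    if dev.throughput_capability_pps > dev.polled_traffic_pps and dev.active_mitigations:
        actions.append(("remove_mitigations", list(dev.active_mitigations)))
        dev.active_mitigations.clear()

    limit, mal = dev.operational_limit_pps, dev.malicious_traffic_pps
    if mal > limit:                                   # Steps 209, 210, 213
        actions.append(("notify", f"{dev.name}: malicious {mal:.0f} pps exceeds limit {limit:.0f} pps"))
        target = select_target(mal, pool)
        if target is None:
            actions.append(("notify", f"{dev.name}: no pool device can absorb {mal:.0f} pps"))
        else:
            actions.append(("reroute", (dev.name, target.name)))
    elif mal >= limit * (1.0 - approach_fraction):    # Steps 207, 208, 213
        actions.append(("notify", f"{dev.name}: malicious {mal:.0f} pps within "
                                  f"{approach_fraction:.0%} of limit {limit:.0f} pps"))
    return actions


def evaluate_plurality(devices, second_plurality, approach_fraction=0.10):
    """The enhancement (Steps 211-213): compare the summed malicious rate of
    the first plurality with its summed operational limit; swing if exceeded."""
    total_mal = sum(d.malicious_traffic_pps for d in devices)
    total_limit = sum(d.operational_limit_pps for d in devices)
    if total_mal > total_limit:
        return [("notify", "first plurality over limit"), ("swing", second_plurality)]
    if total_mal >= total_limit * (1.0 - approach_fraction):
        return [("notify", "first plurality approaching limit")]
    return []


def demo():
    """Constructed poll: one device over its limit, one approaching it, one idle."""
    managed = DdosDevice("managed-100", 2_000_000, 1_500_000, 1_800_000, 1_600_000)
    mid = DdosDevice("management-101", 1_000_000, 800_000, 900_000, 800_000)
    standalone = DdosDevice("standalone-102", 500_000, 400_000, 100_000, 50_000, ["old-rate-limit"])
    scrubber = DdosDevice("scrubber-2", 5_000_000, 4_000_000)   # spare capacity
    first = [managed, mid, standalone]
    per_device = {d.name: evaluate_device(d, [scrubber]) for d in first}
    aggregate = evaluate_plurality(first, ["scrubber-2"])
    return per_device, aggregate


if __name__ == "__main__":
    for name, acts in demo()[0].items():
        print(name, acts)
    print("aggregate:", demo()[1])
```

In the constructed poll the managed device is both notified and rerouted, the management device only raises the "approaching" notification, and the standalone device, whose polled rate is well under its throughput capability, has its stale mitigation retired; the aggregate check fires the approaching-limit notification because the summed malicious rate sits within 10% of the summed limit.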

FIG. 3 illustrates another embodiment of the present invention. Network traffic (including DDoS traffic) is initially routed through one or more security devices (IDS Server 104 is shown in FIG. 3 as a non-limiting example) and may be identified based upon traffic flow (as examples, repetitive requests either from or to the same IP address) and/or individual packet payloads utilizing an intrusion detection and prevention engine. (Steps 300, 301) An intrusion detection and prevention engine may include analytical software utilized to inspect for known patterns. A validity of a combination of flag values in a Transmission Control Protocol (TCP) header may be determined by an intrusion detection and prevention engine. If the combination of flag values in the TCP header is not valid, a first DDoS mitigation may be activated. (Steps 302, 305)

A number of TCP flags received over a first period of time may be determined. If the number of TCP flags received over the first period of time exceeds a first predetermined threshold, a second DDoS mitigation may be activated. A number of packets received over a second period of time may be determined. If the number of packets received over the second period of time exceeds a second predetermined threshold, a third DDoS mitigation may be activated. (Steps 303, 305) This data may be pulled from the Open Systems Interconnection (OSI) Model layer 3 and/or OSI Model layer 4 of the network traffic. A number of HTTP or DNS activities over a third period of time may be determined. This data may be pulled from the OSI Model layer 7 of the network traffic. If the number of HTTP or DNS activities over the third period of time exceeds a third predetermined threshold, a fourth DDoS mitigation may be activated. (Steps 304, 305)
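The four checks of Steps 302 through 305 (invalid flag combination, flag count, packet count, HTTP/DNS activity count, each over its own period) as an inspector run over a constructed packet trace. This is an added example and not the patent's engine: the list of flag combinations treated as invalid, the reading of "number of TCP flags" as the count of set flag bits, the window lengths and the thresholds are all assumptions chosen for the demonstration.

```python
"""Added example (not from the patent): the four FIG. 3 checks over a trace.

Packets are plain dicts: t (seconds), proto ('tcp'/'udp'), flags (TCP
only, as the six classic header bits) and an optional app ('http'/'dns')
standing in for the layer-7 classification an IDS would provide.
"""
from collections import deque

# TCP flag bits in header order (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Combinations no conforming TCP stack emits (assumed list; the patent does
# not enumerate the invalid combinations it has in mind).
INVALID_FLAG_COMBOS = {
    0,                                   # "null" segment, no flags at all
    SYN | FIN,                           # open and close in one segment
    SYN | RST,
    FIN | RST,
    FIN | PSH | URG,                     # "xmas"-style segment
    FIN | SYN | RST | PSH | ACK | URG,   # everything set
}


def tcp_flags_valid(flags):
    """Step 302: is this combination of TCP flag values valid?"""
    if flags in INVALID_FLAG_COMBOS:
        return False
    # Apart from the initial SYN and a bare RST, every segment carries ACK
    if not flags & ACK and flags != SYN and not flags & RST:
        return False
    return True


class WindowCounter:
    """Counts events inside a sliding window of `period` seconds."""

    def __init__(self, period):
        self.period = period
        self.events = deque()

    def add(self, t, n=1):
        self.events.append((t, n))
        while self.events and self.events[0][0] <= t - self.period:
            self.events.popleft()
        return sum(count for _, count in self.events)


class FlowInspector:
    def __init__(self, flag_threshold, packet_threshold, app_threshold,
                 flag_period=1.0, packet_period=1.0, app_period=10.0):
        self.flag_threshold, self.packet_threshold, self.app_threshold = (
            flag_threshold, packet_threshold, app_threshold)
        self.flag_count = WindowCounter(flag_period)      # first period
        self.packet_count = WindowCounter(packet_period)  # second period
        self.app_count = WindowCounter(app_period)        # third period
        self.mitigations = set()                          # activated so far (Step 305)

    def inspect(self, pkt):
        """Apply the four checks to one packet; returns the mitigations active."""
        t = pkt["t"]
        if pkt["proto"] == "tcp":
            if not tcp_flags_valid(pkt["flags"]):                    # Step 302
                self.mitigations.add("first")
            set_bits = bin(pkt["flags"]).count("1")
            if self.flag_count.add(t, set_bits) > self.flag_threshold:   # Step 303
                self.mitigations.add("second")
        if self.packet_count.add(t) > self.packet_threshold:         # Step 303
            self.mitigations.add("third")
        if pkt.get("app") in ("http", "dns"):
            if self.app_count.add(t) > self.app_threshold:           # Step 304
                self.mitigations.add("fourth")
        return set(self.mitigations)


def demo():
    """Run the inspector over a constructed trace; returns the mitigations raised."""
    insp = FlowInspector(flag_threshold=8, packet_threshold=12, app_threshold=3)
    trace = (
        [{"t": i * 0.01, "proto": "tcp", "flags": SYN} for i in range(10)]         # SYN burst
        + [{"t": 0.5, "proto": "tcp", "flags": SYN | FIN}]                          # invalid combination
        + [{"t": 5.0 + i * 0.1, "proto": "udp", "app": "dns"} for i in range(5)]   # DNS query burst
        + [{"t": 20.0 + i * 0.001, "proto": "udp"} for i in range(15)]             # raw packet flood
    )
    for pkt in trace:
        insp.inspect(pkt)
    return insp.mitigations


if __name__ == "__main__":
    print(sorted(demo()))
```

Each burst in the constructed trace trips exactly one check, so the final set contains all four mitigations; a normal handshake and teardown (SYN, SYN+ACK, ACK, PSH+ACK, FIN+ACK at the same thresholds) trips none, which is the check worth keeping in a regression suite when the thresholds are tuned.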

In another embodiment illustrated in FIG. 3, a plurality of IDS may be used to capture a plurality of packet data from network traffic into a network 106. (Step 306) The plurality of IDS, or other suitable automated means, may process the plurality of packet data. (Step 307) A first one or more statistics may be calculated from the plurality of packet data. (Step 308) The statistics may vary per application, but could be, as non-limiting examples, TCP header information such as which source/destination IP from/to with which TCP flags and which source and destination port over time, HTTP verbs over time, and/or gets or queries for websites/domains over time.

A second one or more statistics may be read from a traffic stats database 313. The first one or more statistics may be stored in the traffic stats database 313. (Step 311) A change in the network traffic may be determined by comparing the first one or more statistics with the second one or more statistics. DDoS mitigation may be activated or modified based on changes in the network traffic. (Step 305)

Further, a high delta based on the first one or more statistics and the second one or more statistics may be determined. (Step 312) Processing the plurality of packet data is preferably done in real time. The first one or more statistics may be calculated by one or more of the IDS, by a server or by a combination of IDS and servers. The change in traffic may be determined using statistics gathered over a given period of time. Calculating the first one or more statistics from the plurality of packet data may use OSI Model layer 3, OSI Model layer 4, and/or OSI Model layer 7.

In a preferred embodiment of calculating one or more statistics, a mean (z) for a running number of x minute samples (x is preferably between 1 and 5) may be calculated. If the standard deviation of a new sample is above y (a set deviation derived from all previous samples) and the sample is higher than the average, a mitigation on the end point may be started. If the standard deviation is lower than y, the new sample may be added to the running number of x minute samples to produce a new mean (z) and y may be adjusted accordingly.
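The running-mean check of the preferred embodiment (also claim 10) in code, as an added example rather than the patent's own implementation. The samples are constructed per-minute packet counts for one end point. The patent's "standard deviation of a new sample" is read here as the new sample's distance from the running mean z, and y is taken to be the standard deviation of all previous samples times a multiplier k with a small floor; k, the floor and the number of samples learned before any check is made are assumptions.

```python
"""Added example (not from the patent): running mean z and set deviation y.

A sample is the count the IDS saw for an end point in one x-minute
interval. Anomalous high samples start a mitigation and are not learned;
everything else is absorbed so z and y track the current baseline.
"""
import statistics


class RunningBaseline:
    def __init__(self, k=3.0, floor=1.0, min_samples=5):
        self.samples = []         # the running number of x-minute samples
        self.k = k                # multiplier applied to the sample stdev (assumed)
        self.floor = floor        # keeps y > 0 when the samples are identical (assumed)
        self.min_samples = min_samples

    @property
    def z(self):
        """Running mean of all samples learned so far."""
        return statistics.fmean(self.samples) if self.samples else 0.0

    @property
    def y(self):
        """Set deviation derived from all previous samples."""
        if len(self.samples) < 2:
            return float("inf")
        return max(self.k * statistics.stdev(self.samples), self.floor)

    def observe(self, sample):
        """Return 'mitigate' for an anomalous high sample, else 'learn'."""
        if len(self.samples) >= self.min_samples:
            deviation = abs(sample - self.z)
            if deviation > self.y and sample > self.z:
                return "mitigate"        # start mitigation on the end point
        # Below y (or a low outlier): absorb, producing the new z and y
        self.samples.append(sample)
        return "learn"


def demo():
    """Constructed per-minute counts: a steady baseline, a spike, a dip."""
    base = RunningBaseline(k=3.0)
    counts = [1000, 1100, 950, 1050, 1000, 1020, 980, 5000, 200]
    decisions = [base.observe(c) for c in counts]
    return decisions, len(base.samples)


if __name__ == "__main__":
    decisions, learned = demo()
    for c, d in zip([1000, 1100, 950, 1050, 1000, 1020, 980, 5000, 200], decisions):
        print(f"{c:>5} -> {d}")
    print("samples retained:", learned)
```

The spike to 5000 lies far above y and above z, so it is flagged and deliberately not added to the baseline (otherwise a sustained attack would teach the detector that the attack is normal); the dip to 200 exceeds y as well but is below the mean, so it is learned rather than mitigated, matching the "higher than the average" condition.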

In another embodiment illustrated in FIG. 3, a plurality of IDS may be used to capture, process, and calculate statistics from data in network traffic entering a network 106. (Steps 306, 307, 308) An application and an application rate corresponding to the data may be determined. (Step 315) A first one or more statistics may be calculated from the data. A second one or more statistics may be read from a traffic stats database 313. The traffic stats database 313 may be stored on a hard disk drive or other data storage device so that statistics may be used to discover trends in traffic. The first one or more statistics may be stored in the traffic stats database 313 for later use. In preferred embodiments, a plurality of long term statistics may be calculated using at least the second one or more statistics, and a plurality of high application rates with low variation based on the plurality of long term statistics may be determined. (Step 316) The data from the network traffic is preferably taken from an Open Systems Interconnection (OSI) Model layer 3, OSI Model layer 4, and/or OSI Model layer 7. A filter may be generated that is specific to the application. (Step 317) A DDoS mitigation may then be activated or modified using the generated filter. (Step 306)
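The application-specific filter path (Steps 315 through 317, claims 14 to 16) as an added example that is not the patent's code: it identifies the application, computes per-interval application rates, derives long term statistics from the stored history, selects the applications with high rate and low variation, and emits a filter with a content pattern and a rate ceiling for each. Identifying the application by destination port, the per-application match patterns, and the selection rule (mean rate above a floor and coefficient of variation below a ceiling) are assumptions; the history and the capture are constructed.

```python
"""Added example (not from the patent): application rates and generated filters.

history:  {app: [pps per interval, ...]} as read from the traffic stats db
capture:  packets as dicts with t (seconds), proto and dport
"""
import statistics
from collections import defaultdict

PORT_TO_APP = {53: "dns", 80: "http", 443: "https"}      # assumed mapping

# Assumed per-application patterns a filter can enforce (Step 317)
APP_PATTERNS = {
    "dns":  {"proto": "udp", "dport": 53, "max_payload": 512},
    "http": {"proto": "tcp", "dport": 80, "verbs": ["GET", "POST", "HEAD"]},
}


def identify_application(pkt):
    """Step 315: which application does this packet belong to?"""
    return PORT_TO_APP.get(pkt["dport"], "unknown")


def application_rates(packets, interval_s=60):
    """Step 315: per-application packet rate (pps) for each interval seen."""
    counts = defaultdict(lambda: defaultdict(int))
    for pkt in packets:
        counts[identify_application(pkt)][int(pkt["t"] // interval_s)] += 1
    return {app: [c / interval_s for _, c in sorted(bins.items())]
            for app, bins in counts.items()}


def long_term_stats(history):
    """Step 316: mean, standard deviation and coefficient of variation per app."""
    out = {}
    for app, rates in history.items():
        mean = statistics.fmean(rates)
        sd = statistics.pstdev(rates)
        out[app] = {"mean": mean, "stdev": sd, "cv": sd / mean if mean else float("inf")}
    return out


def stable_high_rate_apps(stats, min_mean, max_cv):
    """Step 316: applications with a high rate and low variation (assumed rule)."""
    return sorted(app for app, s in stats.items()
                  if s["mean"] >= min_mean and s["cv"] <= max_cv)


def generate_filter(app, stats, headroom=2.0):
    """Step 317: a filter = expected pattern + rate ceiling for the application."""
    return {"application": app,
            "match": APP_PATTERNS.get(app, {}),
            "max_rate_pps": stats[app]["mean"] + headroom * stats[app]["stdev"]}


def demo():
    """Constructed history and a constructed 60 s capture with a DNS surge."""
    history = {"dns": [50, 52, 48, 51, 49],        # steady, high
               "http": [200, 60, 300, 20, 400],    # high but erratic
               "https": [5, 6, 5, 5]}              # steady but low
    capture = ([{"t": i * 0.01, "proto": "udp", "dport": 53} for i in range(6000)]   # 100 pps
               + [{"t": i * 0.5, "proto": "tcp", "dport": 80} for i in range(120)])  # 2 pps
    current = application_rates(capture)                      # first statistics (Step 308)
    stats = long_term_stats(history)                          # from second statistics
    selected = stable_high_rate_apps(stats, min_mean=20, max_cv=0.2)
    filters = {app: generate_filter(app, stats) for app in selected}
    # Applications whose current rate breaches their filter ceiling (Step 306)
    exceeded = [app for app, f in filters.items() if max(current.get(app, [0])) > f["max_rate_pps"]]
    for app, rates in current.items():                        # store for later (Step 311)
        history.setdefault(app, []).extend(rates)
    return selected, exceeded, current, filters


if __name__ == "__main__":
    selected, exceeded, current, filters = demo()
    print("filters for:", selected)
    print("current rates:", current)
    print("ceiling breached by:", exceeded)
```

Only DNS qualifies for a filter: HTTP's mean is high but its variation is too large for a tight ceiling to be safe, and HTTPS is steady but too quiet to matter. The 100 pps DNS surge in the capture breaches the generated ceiling of roughly 53 pps, which is the signal to activate or modify the DNS-specific mitigation.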

Other embodiments and uses of the above inventions will be apparent to those having ordinary skill in the art upon consideration of the specification and practice of the inventions disclosed herein. The specification and examples given should be considered exemplary only, and it is contemplated that the appended claims will cover any other such embodiments or modifications as fall within the true scope of the inventions.

The Abstract accompanying this specification is provided to enable the United States Patent and Trademark Office and the public generally to determine quickly from a cursory inspection the nature and gist of the technical disclosure and is in no way intended for defining, determining, or limiting the present inventions or any of their embodiments.

The invention claimed is:
1. A method, comprising the steps of: a) polling a traffic rate for each Distributed Denial-of-Service (DDoS) Device in a first plurality of DDoS Devices, wherein the first plurality of DDoS Devices is receiving a network traffic entering a network; b) determining a throughput capability for each DDoS Device in the first plurality of DDoS Devices; c) determining whether each DDoS Device in the first plurality of DDoS Devices can handle its polled traffic rate without intervention by comparing its polled traffic rate with its throughput capability; d) for each DDoS Device in the first plurality of DDoS Devices that can handle its polled traffic rate without intervention, removing a past DDoS mitigation; e) determining a malicious traffic rate for each DDoS Device in the first plurality of DDoS Devices; f) determining an operational limit capability for each DDoS Device in the first plurality of DDoS Devices; g) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate approach its operational limit capability within a predetermined amount, sending a notification to a monitor web page; and h) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate greater than its operational limit capability, sending a notification to the monitor web page and routing traffic from the DDoS Device to a second DDoS Device that has an operational limit capability greater than the malicious traffic rate.
2. The method of claim 1, further comprising the steps of: i) determining a malicious traffic rate for the first plurality of DDoS Devices; j) determining an operational limit capability for the first plurality of DDoS Devices; and k) if the malicious traffic rate for the first plurality of DDoS Devices approaches the operational limit capability for the first plurality of DDoS Devices within a predetermined amount, sending a notification to the monitor web page.
3. The method of claim 2, further comprising the step of: i) if the malicious traffic rate for the first plurality of DDoS Devices is greater than the operational limit capability for the first plurality of DDoS Devices, sending a notification to the monitor web page and swinging the network traffic from the first plurality of DDoS Devices to a second plurality of DDoS Devices.
4. A method, comprising the step of: identifying DDoS traffic based upon a traffic flow and a plurality of individual packet payloads utilizing an intrusion detection and prevention engine, the identifying step comprising the steps of: i) determining a validity of a combination of flag values in a Transmission Control Protocol (TCP) header; ii) if the combination of flag values in the TCP header are not valid, activating a first Distributed Denial of Service (DDoS) mitigation; iii) determining a number of TCP flags received over a first period of time; iv) if the number of TCP flags received over the first period of time exceeds a first predetermined threshold, activating a second DDoS mitigation; v) determining a number of packets received over a second period of time; vi) if the number of packets received over the second period of time exceeds a second predetermined threshold, activating a third DDoS mitigation; vii) determining a number of HTTP or DNS activities over a third period of time; and viii) if the number of HTTP or DNS activities over the third period of time exceeds a third predetermined threshold, activating a fourth DDoS mitigation.
5. A method, comprising the steps of: a) a plurality of Intrusion Detection Systems (IDS) capturing a plurality of packet data from a network traffic entering a network; b) the plurality of IDS processing the plurality of packet data; c) calculating a first one or more statistics from the plurality of packet data; d) reading a second one or more statistics from a traffic stats database; e) storing the first one or more statistics in the traffic stats database; f) determining a change in the network traffic by comparing the first one or more statistics with the second one or more statistics; and g) activating or modifying DDoS mitigation based on the change in the network traffic.
6. The method of claim 5, further comprising the step of: h) determining a high delta based on the first one or more statistics and the second one or more statistics.
7. The method of claim 5, wherein the processing the plurality of packet data is done in real time.
8. The method of claim 5, wherein the calculating the first one or more statistics is performed by one or more of the IDS.
9. The method of claim 5, wherein the calculating the first one or more statistics is performed by a server.
10. The method of claim 5, wherein the determining the change in the network traffic comprises the steps of: i) calculating a first mean for a running collection of samples; ii) collecting a new sample; iii) calculating a standard deviation of the new sample; iv) if the standard deviation of the new sample is above a set deviation derived from the running collection of samples and the new sample is higher than the first mean, then starting a mitigation on an end point; and v) if the standard deviation of the new sample is lower than the set deviation derived from the running collection of samples, then adding the new sample to the running collection of samples to produce a second mean.
11. The method of claim 5, wherein the calculating the first one or more statistics from the plurality of packet data uses Open Systems Interconnection (OSI) Model layer 3.
12. The method of claim 5, wherein the calculating the first one or more statistics from the plurality of packet data uses Open Systems Interconnection (OSI) Model layer 4.
13. The method of claim 5, wherein the calculating the first one or more statistics from the plurality of packet data uses Open Systems Interconnection (OSI) Model layer 7.
14. A method, comprising the steps of: a) a plurality of Intrusion Detection Systems (IDS) capturing a data from a network traffic entering a network; b) the plurality of IDS processing the data; c) determining an application corresponding to the data; d) determining an application rate for the application using the data; e) generating a filter that is specific to the application; and f) activating or modifying a DDoS mitigation using the generated filter.
15. The method of claim 14, further comprising the steps of: g) calculating a first one or more statistics from the data; h) reading a second one or more statistics from a traffic stats database; and i) storing the first one or more statistics in the traffic stats database.
16. The method of claim 14, further comprising the steps of: g) calculating a plurality of long term statistics using at least the second one or more statistics; and h) determining a plurality of high application rates with low variation based on the plurality of long term statistics.
17. The method of claim 14, wherein generating the filter that is specific to the application is done in real time.
18. The method of claim 14, wherein the data from the network traffic is taken from an Open Systems Interconnection (OSI) Model layer 3.
19. The method of claim 14, wherein the data from the network traffic is taken from an Open Systems Interconnection (OSI) Model layer 4.
20. The method of claim 14, wherein the data from the network traffic is taken from an Open Systems Interconnection (OSI) Model layer 7.